Date: Tue, 12 Jan 2021 08:46:29 +0100
From: Michal Hocko
To: Suren Baghdasaryan
Cc: akpm@linux-foundation.org, jannh@google.com, keescook@chromium.org, jeffv@google.com, minchan@kernel.org, shakeelb@google.com, rientjes@google.com, edgararriaga@google.com, timmurray@google.com, linux-mm@kvack.org, selinux@vger.kernel.org, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-team@android.com, Oleg Nesterov
Subject: Re: [PATCH v2 1/1] mm/madvise: replace ptrace attach requirement for process_madvise
Message-ID: <20210112074629.GG22493@dhcp22.suse.cz>
References: <20210111170622.2613577-1-surenb@google.com>
In-Reply-To: <20210111170622.2613577-1-surenb@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon 11-01-21 09:06:22, Suren Baghdasaryan wrote:
> process_madvise currently requires ptrace attach capability.
> PTRACE_MODE_ATTACH gives one process complete control over another
> process. It effectively removes the security boundary between the
> two processes (in one direction). Granting ptrace attach capability
> even to a system process is considered dangerous since it creates an
> attack surface. This severely limits the usage of this API.
> The operations process_madvise can perform do not affect the correctness
> of the operation of the target process; they only affect where the data
> is physically located (and therefore, how fast it can be accessed).

Yes, it doesn't influence the correctness, but it is still a very
sensitive operation because it can allow targeted side-channel timing
attacks, so we should be really careful.

> What we want is the ability for one process to influence another process
> in order to optimize performance across the entire system while leaving
> the security boundary intact.
> Replace PTRACE_MODE_ATTACH with a combination of PTRACE_MODE_READ
> and CAP_SYS_NICE. PTRACE_MODE_READ to prevent leaking ASLR metadata
> and CAP_SYS_NICE for influencing process performance.

I have to say that ptrace modes are rather obscure to me. So I cannot
really judge whether MODE_READ is sufficient. My understanding has
always been that this is required for RO access to the address space.
But this operation clearly has a visible side effect. Do we have any
actual documentation for the existing modes?

I would be really curious to hear from Jann and Oleg (now Cced).

Is the CAP_SYS_NICE requirement really necessary?

> Signed-off-by: Suren Baghdasaryan
> Acked-by: Minchan Kim
> Acked-by: David Rientjes
> ---
>  mm/madvise.c | 13 ++++++++++++-
>  1 file changed, 12 insertions(+), 1 deletion(-)
>
> diff --git a/mm/madvise.c b/mm/madvise.c
> index 6a660858784b..a9bcd16b5d95 100644
> --- a/mm/madvise.c
> +++ b/mm/madvise.c
> @@ -1197,12 +1197,22 @@ SYSCALL_DEFINE5(process_madvise, int, pidfd, const struct iovec __user *, vec,
>  		goto release_task;
>  	}
>
> -	mm = mm_access(task, PTRACE_MODE_ATTACH_FSCREDS);
> +	/* Require PTRACE_MODE_READ to avoid leaking ASLR metadata. */
> +	mm = mm_access(task, PTRACE_MODE_READ_FSCREDS);
>  	if (IS_ERR_OR_NULL(mm)) {
>  		ret = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH;
>  		goto release_task;
>  	}
>
> +	/*
> +	 * Require CAP_SYS_NICE for influencing process performance. Note that
> +	 * only non-destructive hints are currently supported.
> +	 */
> +	if (!capable(CAP_SYS_NICE)) {
> +		ret = -EPERM;
> +		goto release_mm;
> +	}
> +
>  	total_len = iov_iter_count(&iter);
>
>  	while (iov_iter_count(&iter)) {
> @@ -1217,6 +1227,7 @@ SYSCALL_DEFINE5(process_madvise, int, pidfd, const struct iovec __user *, vec,
>  	if (ret == 0)
>  		ret = total_len - iov_iter_count(&iter);
>
> +release_mm:
>  	mmput(mm);
>  release_task:
>  	put_task_struct(task);
> --
> 2.30.0.284.gd98b1dd5eaa7-goog
>

-- 
Michal Hocko
SUSE Labs
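Review bot: In the first hunk the new `if (!capable(CAP_SYS_NICE))` check does not depend on the target at all, yet it runs after `mm_access()` has already taken a reference on the target mm, so an unprivileged caller costs a ptrace access check plus an mm grab/put just to be refused. Moving the capability check ahead of `mm_access()` (or ahead of the pidfd lookup) avoids that and also makes the `release_mm:` label added in the second hunk unnecessary, since the only `goto release_mm` would be gone. Two further points worth stating in the changelog or the comment: `capable()` tests CAP_SYS_NICE against the initial user namespace, so a caller holding the capability only inside a child user namespace is refused on this path (say whether that is intended, or whether an `ns_capable()` check is meant); and the comment "only non-destructive hints are currently supported" describes a property enforced by the behaviour validation elsewhere in this function, not by this check, so it should say where that guarantee comes from.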